The COMTREND CT-536 is an 802.11g (54 Mbps) wireless and wired Local Area Network (WLAN) ADSL router. Four 10/100 Base-T Ethernet ports and a single USB port provide wired LAN connectivity, with an integrated 802.11g WiFi WLAN Access Point (AP) for wireless connectivity. The CT-536 ADSL router provides state-of-the-art security features such as WPA data encryption, a firewall and VPN pass-through. Improper validation in the micro_httpd server of the COMTREND WiFi router permits multiple attacks through this stateless server. Access control is also ineffective: it does not restrict access at all, and credentials are sent in clear text, so the "user" account could obtain them easily.
Credit:
The information has been provided by ISecAuditors Security Advisories.
Vulnerable Systems:
* COMTREND CT-536/HG-536+ A101-302JAZ-C01_R05
1. The "user" account (the least privileged user, with read-only and limited access to the configuration) can request resources it is not allowed to see, and the server returns the requested page. This includes the password changing page:
http://192.168.0.1/password.html
2. The router sends the passwords of the 3 users in clear text inside the HTML.
3. Some configuration description fields are vulnerable to Cross Site Scripting attacks due to improper validation:
http://192.168.0.1/scvrtsrv.cmd?action=add&srvName=%3Cscript%3Ealert(%22XSS%22)%3C/script%3E&srvAddr=192.168.1.1&proto=1,&eStart=1,&eEnd=1,&iStart=1,&iEnd=1
4. Some resources (e.g. the NAT table) are vulnerable to buffer overflow attacks through the description fields, which seems to kill the micro_httpd server although the router continues routing. Similar behaviour is seen when requesting URLs that add %13 and %10 characters, which are not caught by the micro_httpd checks for "..", "../" and "/../".
5. The "user" account gets "admin" privileges when connecting through the TELNET service.
6. The "support" user seems not to exist at all.
Impact:
DoS of the Web Configuration interface although the router continues routing. DoS of the router, causing a reset of the configuration, meaning the wireless interface (activated by default) starts up without any type of protection, giving the possibility to access the router or the network. Reset of the router configuration. Access with "admin" (privileged) permissions for the "user" account.
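As an added example that is not part of the advisory, the following Python script scans constructed access-log lines for the three request patterns described above: reads of the privileged password.html page, script tags in the srvName field of scvrtsrv.cmd, and paths carrying %13/%10 control characters or dot-dot segments. It assumes the request lines are recorded by the router or an upstream proxy in common-log format; the device's own logging is not described on this page.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qs

# Constructed sample access-log lines (not taken from a real device).
# Assumption: the router or an upstream proxy records the request line.
SAMPLE_LOG = """\
192.168.0.5 - - [01/Jan/2010:10:00:00 +0000] "GET /info.html HTTP/1.1" 200 512
192.168.0.5 - - [01/Jan/2010:10:00:01 +0000] "GET /password.html HTTP/1.1" 200 2048
192.168.0.9 - - [01/Jan/2010:10:00:02 +0000] "GET /scvrtsrv.cmd?action=add&srvName=%3Cscript%3Ealert(%22XSS%22)%3C/script%3E&srvAddr=192.168.1.1 HTTP/1.1" 200 300
192.168.0.9 - - [01/Jan/2010:10:00:03 +0000] "GET /%13%10/../etc HTTP/1.1" 500 0
"""

REQ_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)')
SCRIPT_RE = re.compile(r"<\s*script|javascript:|on\w+\s*=", re.IGNORECASE)

# Pages the advisory says the read-only "user" account should never reach.
PRIVILEGED_PAGES = {"/password.html"}


def classify_request(url: str) -> list:
    """Return the finding tags for one request URL (empty list if benign)."""
    findings = []
    parts = urlsplit(url)
    decoded_path = unquote(parts.path)
    if parts.path in PRIVILEGED_PAGES:
        findings.append("privileged-page")
    # Control characters (%13, %10) or a ".." segment in the decoded path:
    # the advisory reports these slip past micro_httpd's "..", "../", "/../" checks.
    if any(ord(c) < 0x20 for c in decoded_path) or ".." in decoded_path.split("/"):
        findings.append("malformed-path")
    # Script markup in any query parameter (the srvName description field in the advisory).
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        if any(SCRIPT_RE.search(unquote(v)) for v in values):
            findings.append("xss-payload:" + key)
    return findings


def scan_log(text: str) -> list:
    """Return (source IP, URL, findings) for every suspicious request line."""
    hits = []
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        findings = classify_request(m["url"])
        if findings:
            hits.append((m["src"], m["url"], findings))
    return hits


if __name__ == "__main__":
    for src, url, findings in scan_log(SAMPLE_LOG):
        print(src, url, findings)
```

The "privileged-page" tag alone is not an incident; it needs to be correlated with which account issued the request, which common-log format does not carry.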